I'm still finding my voice on this Web site, but my primary focus will be on what I think is most missing: fundamental security strategy within companies and its effective execution. I am very much in favor of the capabilities new and innovative products can provide, but I find their implementation in many organizations is haphazard; the products lead the implementation calendar rather than allowing internal teams to find the right products that fit into an overall strategy that prioritizes the rollout of its component parts.

For example, there are organizations which provide privileged access to all users and have no Web filtering, yet they are asking about high-end data leakage protection (DLP) products. Companies may have no patch management and no validation of their anti-virus, yet they want to discuss high-end log review security information and event management (SIEM) products. Many companies are not doing intrusion detection at all, doing it in baffling ways, or outsourcing it to providers who aren't actually monitoring anything. In most cases all of these things should be part of a strategy, but more complex projects will only be successful if built on a foundation of getting the basics right.

Those basics involve the somewhat less sexy implementation of security policies, awareness programs, communication plans, and other aspects of information security programs that people try to run from because they are uncomfortable, they involve the entire organization, and they require putting oneself in a position of leadership.

So there are security teams looking busy but crippled by the lack of organizational power afforded them in the environment they're in and by the inability to set their own reasonable agenda, and thus not advancing the state of security within their organizations. There are people responsible for information security in different areas of the enterprise, but organizationally it's implemented without central strategic leadership in the form of a CISO. I hope I will support these teams by showing that many security events that get highlighted in the media are not caused by some especially advanced attacker but rather by exploiting simple, fixable and preventable vulnerabilities. And even when the attack is advanced, in many cases the incident response, forensics response, and corporate handling of the event leave room for improvement.

How are you finding the experience of writing regularly for public consumption?

It is difficult, both from the perspective of clearing time to write and in trying to create content that is meaningful without appearing to sell something, parrot back old content, or publish unsubstantiated personal opinions without a relevant story from experience or an observed condition.

I got back into writing seriously while in the Master of Science in Information Assurance program up at Norwich University in Vermont, which had as part of its curriculum a demanding schedule of writing security papers as well as a strict evaluation of that writing. That training made creating 1,000-word essays easier.

That said, putting ideas before the public, especially controversial ideas, and seeing how people react is interesting. With publishing on a Web site, there are some readers whose comments are not well thought out or are silly, but sifting through user responses is always made worthwhile when you hit upon someone who posts a reaction that requires you either to defend your position more effectively or even causes you to radically reassess the way you've been approaching a topic.

* * *

Daniel Kennedy, MSIA, CISSP, CEH leads initiatives in policy and operational security management, directs strategy on risk assessment and certification, and is head of business continuity planning and disaster recovery objectives at Praetorian Security Group, LLC.

SPECIAL REQUEST: If you like my columns, please support the Semper Fi fund to help wounded US Marines. Give online to support Norwich University student Zach Wetzel in his fund-raising marathon run.